On Fri Aug 09, 2002 at 07:33:09PM -0400, Oden Eriksson wrote:

> [...]
>
> > > The last problem _was_ with privsep disabled. It still does not work.
> > > Sorry to ask but have you tested it? Chage user, set password change
> > > time in the past and try to log in (using public key as in my case).
> >
> > Yup, you're absolutely right. The way privsep is written changes the
> > way the whole pam interaction is done.
> >
> > Unfortunately, there is no easy way around this except to downgrade to
> > a pre-3.3p1 version. =(
>
> Or perhaps just ignore the privsep bsd shit and continue as before?, the huge
> security hole is gone anyway...

That's the problem.. you can't. Disabling privsep doesn't remove it from the code. The introduction of privsep changed some of the fundamental code in openssh; as it's been pointed out before, password aging just doesn't work period in openssh right now, regardless of whether privsep is enabled or not. So, to continue on as before, would be to downgrade openssh to a pre-privsep version.

> Ignore privsep and move on, or turn mandrake into bsd?

Can't ignore it. Hopefully in the future we can, and have everything work as before. Better yet, I'm hoping privsep starts to work properly and we don't have to ignore but can use it. I really like the concept of privsep.. it's the implementation and the way this whole mess came about that leaves a bitter taste in my mouth.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
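
An audit sketch for the failure discussed in this thread, added here as an example and not part of the original messages: while sshd does not enforce password aging, it lists accounts whose password is past its maximum age (or flagged for change at next login) and that also have public keys installed. The function names, the sample shadow(5) lines and the set of key users are constructed for illustration; the field layout assumed is the standard shadow(5) one.

```python
from datetime import date

def days_since_epoch(d):
    """shadow(5) stores dates as whole days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days

def aging_status(shadow_line, today_days):
    """Classify one shadow(5) entry by its password-aging fields."""
    f = shadow_line.strip().split(":")
    f += [""] * (9 - len(f))                  # tolerate short lines
    name, pw, lastchg, maxdays = f[0], f[1], f[2], f[4]
    if pw.startswith(("!", "*")):
        return name, "locked"                 # no usable password at all
    if lastchg == "0":
        return name, "must_change"            # change forced at next login
    if not lastchg or not maxdays or int(maxdays) < 0:
        return name, "no_aging"               # aging not configured
    if today_days >= int(lastchg) + int(maxdays):
        return name, "expired"                # maximum age has elapsed
    return name, "ok"

def key_users_past_expiry(shadow_text, users_with_keys, today_days):
    """Accounts that a key login would let in despite an aged password."""
    flagged = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, status = aging_status(line, today_days)
        if status in ("expired", "must_change") and name in users_with_keys:
            flagged.append((name, status))
    return flagged

# Constructed sample data (not real accounts or hashes).
SAMPLE_SHADOW = """\
alice:$1$constructed$hash:11800:0:90:7:::
bob:$1$constructed$hash:11900:0:90:7:::
carol:$1$constructed$hash:0:0:90:7:::
dave:$1$constructed$hash:11000:0::7:::
svc:!!:11000:0:90:7:::
"""
SAMPLE_KEY_USERS = {"alice", "bob", "carol", "dave"}  # have authorized_keys
SAMPLE_TODAY = days_since_epoch(date(2002, 8, 9))     # date of the message

if __name__ == "__main__":
    for name, status in key_users_past_expiry(
            SAMPLE_SHADOW, SAMPLE_KEY_USERS, SAMPLE_TODAY):
        print(f"{name}: password {status}, key login still possible")
```

On a real host the shadow text would come from /etc/shadow (read as root) and the key set from checking each home directory for an authorized_keys file.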
